[Swan] roadwarrior connects but no data

Johannes C. Schulz enzephalon76 at googlemail.com
Fri Oct 5 06:38:30 UTC 2018


Hi Paul

Thanks for your answer. But sadly, this did not help.

$ ip route
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100

$ route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s12u2
xxxxxxxx.dip0.  0.0.0.0         255.255.255.255 UH    0      0        0 vti0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s12u2
192.168.42.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s12u2


192.168.42.x is the client's network
xx.yyy.zzz.vv is the Internet IP of the remote network, behind some domain
192.168.92.x is the remote network I want to access

What's wrong with my config?

Best regards
Johannes




On Thu, 4 Oct 2018 at 16:50, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 4 Oct 2018, Johannes C. Schulz wrote:
>
> > Hello LibreSwan community! It was a long way to get my libreswan
> > connecting to a vpn-server (which is actually a dsl-router from bintec).
> > The server accepts IPsec IKEv1 connection with PSK. I can connect, but
> > there is no traffic through the tunnel.
> > The problem must be on the roadwarrior's side, because I can connect and
> > transfer data through the tunnel if I connect with a windows machine to the
> > vpn-server (using ShrewSoft).
> >
> > I wrote this config:
> >
> > config setup
> > protostack  =   netkey
> >
> > conn Office1
> > authby      =   secret
> > right       =   some.domain.tld
> > rightid     =   @Office_admin
> > rightnexthop    =   %defaultroute
> > left        =   192.168.42.91
> > leftsubnet  =   192.168.92.0/24
> > leftvti     =   192.168.92.234/24
> > leftid      =   @Office
> > keyexchange =   ike
> > ike     =   aes256-sha2;modp2048
> > esp     =   aes256-sha2;modp2048
> > ikelifetime =   4h
> > keylife     =   8h
> > auto        =   add
> > aggrmode    =   yes
> > vti-interface = vti0
> > vti-routing =   yes
> > mark        =   5/0xffffffff
>
> Try adding sha2_truncbug=yes and see if that fixes your issue. The
> router might be doing "broken linux compatibility" mode by default.
>
> > netstat -r -n
> > Kernel-IP-Routentabelle
> > Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
> > 0.0.0.0         192.168.42.129  0.0.0.0         UG        0 0          0 enp0s12u2
> > xx.yyy.zzz.vv   0.0.0.0         255.255.255.255 UH        0 0          0 vti0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s12u2
> > 192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s12u2
> > 192.168.92.0    0.0.0.0         255.255.255.0   U         0 0          0 vti0
>
> What does "ip route" say? It is important to see if you got the proper
> route into the VTI interface. I assume xx.yyy.zzz.vv is some.domain.tld's
> IP?
>
> > ping 192.168.92.10
> > PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
> > From 192.168.92.234 icmp_seq=1 Destination Host Unreachable
>
> Is this on the remote end? Because you defined that to be on your end?
>
> Paul
>


-- 
Best regards
Johannes C. Schulz

"Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza
into software"
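As an added illustration that is not part of this thread or of libreswan's own tooling: a small Python checker that reads one conn block in ipsec.conf syntax plus `ip route` output and reports the conditions a roadwarrior needs before traffic can enter a VTI tunnel. It applies libreswan's documented meaning of leftsubnet and rightsubnet (the subnet behind the left, respectively right, participant) and the page's own observation that the remote subnet needs a route into the VTI interface. The sample conn and route tables are constructed from the ones quoted above, with 203.0.113.7 standing in for xx.yyy.zzz.vv; the "fixed" variants, the finding codes and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the conn quoted in the thread (not the poster's file).
# 203.0.113.7 is a documentation address standing in for the masked xx.yyy.zzz.vv.
BROKEN_CONF = """\
conn Office1
    right          = some.domain.tld
    left           = 192.168.42.91
    leftsubnet     = 192.168.92.0/24
    leftvti        = 192.168.92.234/24
    vti-interface  = vti0
    vti-routing    = yes
"""

# Constructed `ip route` output modelled on the second message: no route for
# 192.168.92.0/24 points at vti0, so that traffic follows the default route.
BROKEN_ROUTES = """\
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
203.0.113.7 dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100
"""

# Hypothetical corrected variants: the network to reach is declared behind the
# remote (right) peer, and a route into the VTI device exists for it.
FIXED_CONF = BROKEN_CONF.replace("leftsubnet     = 192.168.92.0/24",
                                 "rightsubnet    = 192.168.92.0/24")
FIXED_ROUTES = BROKEN_ROUTES + "192.168.92.0/24 dev vti0 scope link\n"


def parse_conn(conf_text, name):
    """Return the key/value options of the named conn block (ipsec.conf style)."""
    opts, in_block = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(conn|config)\s+(\S+)", line)
        if m:
            in_block = m.group(1) == "conn" and m.group(2) == name
            continue
        if in_block and "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts


def parse_ip_route(route_text):
    """Return [(network, dev)] from `ip route` output; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def egress_device(routes, target_ip):
    """Longest-prefix match: the device the kernel would send target_ip out of."""
    best = None
    for net, dev in routes:
        if target_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def check_vti_reachability(conf_text, conn, route_text, target):
    """Return (code, message) findings explaining why `target` may miss the tunnel."""
    opts = parse_conn(conf_text, conn)
    target_ip = ipaddress.ip_address(target)
    findings = []
    vti = opts.get("vti-interface")
    if not vti:
        return [("NO_VTI", "conn %s sets no vti-interface" % conn)]
    left = opts.get("leftsubnet")
    if left and target_ip in ipaddress.ip_network(left, strict=False):
        findings.append(("TARGET_IN_LEFTSUBNET",
                         "%s lies in leftsubnet=%s, i.e. it is declared behind the local "
                         "(left) peer; a network behind the remote peer belongs in "
                         "rightsubnet" % (target, left)))
    right = opts.get("rightsubnet")
    if not right or target_ip not in ipaddress.ip_network(right, strict=False):
        findings.append(("TARGET_NOT_IN_RIGHTSUBNET",
                         "no rightsubnet covers %s, so vti-routing has no remote "
                         "subnet to route into %s" % (target, vti)))
    dev = egress_device(parse_ip_route(route_text), target_ip)
    if dev != vti:
        findings.append(("ROUTE_NOT_VIA_VTI",
                         "kernel routes %s out of %s, not %s" % (target, dev, vti)))
    return findings


if __name__ == "__main__":
    for label, conf, routes in (("broken", BROKEN_CONF, BROKEN_ROUTES),
                                ("fixed", FIXED_CONF, FIXED_ROUTES)):
        print(label)
        for code, msg in check_vti_reachability(conf, "Office1", routes, "192.168.92.10"):
            print("  %s: %s" % (code, msg))
```

Run against the broken sample it reports all three conditions (remote network declared on the local side, no rightsubnet, and the ping leaving via the default route on enp0s12u2 instead of vti0); against the fixed sample it reports nothing. The same functions work on a live box by feeding them the real ipsec.conf text and the output of `ip route`.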